Hi. I am doing some research on JS and PHP code obfuscation. It seems that there are many methods to do this: base64, gz_inflate, etc. Custom algorithms could even be used for obfuscation purposes. I am simply overwhelmed by the number of obfuscation techniques.

I have two questions which I am unsure of:

How do we detect obfuscated code since there are so many algorithms that could be used?

How do we run obfuscated code? Do we need to de-obfuscate it first?

I apologise if my questions are amateur. I am just a beginner in Computer Security.

logic_earth
—
2013-04-11T08:07:52Z —
#2

First and foremost. DO NOT USE code obfuscation. It is just worthless.

1) You can detect obfuscated code easily; it looks like a mass of random letters and numbers and other things. Detecting what obfuscating algorithm was used requires reversing the de-obfuscated function.

2) Depends on how it was obfuscated; in some cases yes, in others no.

In either case. Do not bother.

wwb_99
—
2013-04-12T15:11:03Z —
#3

Security-wise it is no help -- it is a poor attempt at Security by Obscurity which is very little security when it comes down to it.

Mittineague
—
2013-04-12T18:16:15Z —
#4

I agree with not obfuscating code.

This is not to say you shouldn't consider minification, which has some similarities in that it is difficult for people to read. e.g.

a(r);

vs.

check_syntax(name_input);

jQuery is a good example of how much file weight can be saved by minification. But I sure wouldn't want to work with the minified version.
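A triage heuristic for the detection question raised in this thread, as an added example that is not code from any of the posters: it flags PHP/JS source that chains `eval` with a decoder call or a high-entropy string literal, while plain minified code passes. The function names, the 4.5 bits/char threshold, the 40-character literal length and both sample strings are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# Decoder/executor calls commonly chained in obfuscated PHP and JS.
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|atob|unescape)\s*\(",
    re.IGNORECASE,
)
# Quoted string literals of 40+ characters (candidate encoded payloads).
LONG_LITERAL = re.compile(r"""(["'])([^"'\\\s]{40,})\1""")

# Constructed stand-in for an encoded payload: the 64-symbol base64 alphabet.
# It is not a decodable payload; it only gives a literal with known entropy.
BLOB = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Constructed samples: a typical obfuscation wrapper and a minified function.
PHP_SAMPLE = '<?php eval(gzinflate(base64_decode("' + BLOB + '"))); ?>'
MINIFIED_SAMPLE = "function a(r){return r.length>0}a(n);"


def shannon_entropy(text):
    """Bits per character; encoded blobs score higher than ordinary identifiers."""
    counts = Counter(text)
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in counts.values())


def score_source(source, entropy_threshold=4.5):
    """Return heuristic findings for one PHP/JS source string."""
    calls = sorted({m.group(1).lower() for m in SUSPICIOUS_CALLS.finditer(source)})
    blobs = [
        m.group(2)
        for m in LONG_LITERAL.finditer(source)
        if shannon_entropy(m.group(2)) >= entropy_threshold
    ]
    decoders = [c for c in calls if c != "eval"]
    # Strong signal: eval combined with a decoder call or a high-entropy literal.
    suspicious = "eval" in calls and bool(decoders or blobs)
    return {"calls": calls, "high_entropy_literals": len(blobs), "suspicious": suspicious}


if __name__ == "__main__":
    for name, sample in (("php", PHP_SAMPLE), ("minified", MINIFIED_SAMPLE)):
        print(name, score_source(sample))
```

A hit is a reason to review the file by hand, not a verdict: custom encoders that avoid these call names and short literals will not be flagged.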